47c8f1af1f9f8e3a0ad8f359cb14ea08b3261efde59260d8ec5b92d4dfd90587

General

Target

47c8f1af1f9f8e3a0ad8f359cb14ea08b3261efde59260d8ec5b92d4dfd90587.exe
Size

857KB
MD5

6606904cf124e2e43df5401efe1aa7f5
SHA1

0700d6cb81beb6a3bb4ff4e941f4e260d7d6795f
SHA256

47c8f1af1f9f8e3a0ad8f359cb14ea08b3261efde59260d8ec5b92d4dfd90587
SHA512

abc409300b90e0db70a91ea64d8aa14458fdc153be7b228e586deaa3fbef68fb3e42d2a882d1aeaa3f25f325553affb204fed42e056f2b2ff7476050e32e2c13
SSDEEP

12288:2TdHutP4ws2ERwovFRG4zNdE1SqYfsyN1fR8MbbAi77tkmY+V5Ekikwh+:2Ti4L2uwovjGiYFqsS1xbHnY+V5Okx

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1704 powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1704 powershell.exe
2524 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1704 set thread context of 2524 1704 powershell.exe wab.exe
Drops file in Windows directory 1 IoCs

Processes:

47c8f1af1f9f8e3a0ad8f359cb14ea08b3261efde59260d8ec5b92d4dfd90587.exe

description ioc process

File opened for modification C:\Windows\Brugerkataloget.jag 47c8f1af1f9f8e3a0ad8f359cb14ea08b3261efde59260d8ec5b92d4dfd90587.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1704 set thread context of 2524	1704	powershell.exe	wab.exe

description	ioc	process
File opened for modification	C:\Windows\Brugerkataloget.jag	47c8f1af1f9f8e3a0ad8f359cb14ea08b3261efde59260d8ec5b92d4dfd90587.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
1704	powershell.exe
1704	powershell.exe
1704	powershell.exe
1704	powershell.exe
1704	powershell.exe
1704	powershell.exe
1704	powershell.exe
1704	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1704 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1704 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1704	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

47c8f1af1f9f8e3a0ad8f359cb14ea08b3261efde59260d8ec5b92d4dfd90587.exepowershell.exe

description	pid	process	target process
PID 1776 wrote to memory of 1704	1776	47c8f1af1f9f8e3a0ad8f359cb14ea08b3261efde59260d8ec5b92d4dfd90587.exe	powershell.exe
PID 1776 wrote to memory of 1704	1776	47c8f1af1f9f8e3a0ad8f359cb14ea08b3261efde59260d8ec5b92d4dfd90587.exe	powershell.exe
PID 1776 wrote to memory of 1704	1776	47c8f1af1f9f8e3a0ad8f359cb14ea08b3261efde59260d8ec5b92d4dfd90587.exe	powershell.exe
PID 1776 wrote to memory of 1704	1776	47c8f1af1f9f8e3a0ad8f359cb14ea08b3261efde59260d8ec5b92d4dfd90587.exe	powershell.exe
PID 1704 wrote to memory of 2744	1704	powershell.exe	cmd.exe
PID 1704 wrote to memory of 2744	1704	powershell.exe	cmd.exe
PID 1704 wrote to memory of 2744	1704	powershell.exe	cmd.exe
PID 1704 wrote to memory of 2744	1704	powershell.exe	cmd.exe
PID 1704 wrote to memory of 2524	1704	powershell.exe	wab.exe
PID 1704 wrote to memory of 2524	1704	powershell.exe	wab.exe
PID 1704 wrote to memory of 2524	1704	powershell.exe	wab.exe
PID 1704 wrote to memory of 2524	1704	powershell.exe	wab.exe
PID 1704 wrote to memory of 2524	1704	powershell.exe	wab.exe
PID 1704 wrote to memory of 2524	1704	powershell.exe	wab.exe

C:\Users\Admin\AppData\Local\Temp\47c8f1af1f9f8e3a0ad8f359cb14ea08b3261efde59260d8ec5b92d4dfd90587.exe
"C:\Users\Admin\AppData\Local\Temp\47c8f1af1f9f8e3a0ad8f359cb14ea08b3261efde59260d8ec5b92d4dfd90587.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Licks=cat 'C:\Users\Admin\AppData\Roaming\sidonian\Bespyttedes.Civ';$Antihumanist=$Licks.substring(41927,3);.$Antihumanist($Licks)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
3⤵
PID:2744

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\sidonian\Bespyttedes.Civ

Filesize
78KB

MD5
1ef4bed7239f000331bdf0a88602f2a1

SHA1
e9330cb97761334bc1e3dfeb2594196458547a09

SHA256
b2f0b93f0795e5d02cef80a1a8ffb55470b3d903a08781090c2cef80ba12c2fe

SHA512
3a5073bff3b3d4b6fcd52abedeabc6797a2682d5a676a77c1198da3d26cabd52f82b59ec5d054f0c68aeaa330f33ea70c1746da7e138aa6516bd13163919175a

Download Submit
C:\Users\Admin\AppData\Roaming\sidonian\Silicone.Men

Filesize
300KB

MD5
4941d3dc5698b0ed0e3007a9299e8a91

SHA1
dd0a948f26ddc1c320eadd4878e14b38c8ca17e0

SHA256
6b3e288faec3c663717827c60d1ff261b7e28a4647a9ce1559518544c068d9a6

SHA512
eb0d9cd5de104a4cc5a19cf33b9fbf279a28c19e04afc120b4ca75abf68c03ea47b92ad58a260306d3ec45516c95566185ba510d80aef0ae9af9202676970038

Download Submit
memory/1704-9-0x0000000074481000-0x0000000074482000-memory.dmp

Filesize
4KB

Download
memory/1704-10-0x0000000074480000-0x0000000074A2B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-13-0x0000000074480000-0x0000000074A2B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-12-0x0000000074480000-0x0000000074A2B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-11-0x0000000074480000-0x0000000074A2B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-17-0x00000000066E0000-0x00000000094CA000-memory.dmp

Filesize
45.9MB

Download
memory/1704-18-0x0000000074480000-0x0000000074A2B000-memory.dmp

Filesize
5.7MB

Download
memory/2524-19-0x0000000000390000-0x00000000013F2000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing